【CESA-2016:2124】 最新バージョンの kernel が、Red Hat Enterprise Linux 5 からご利用いただけるようになりました

CESA-2016:2124

最新バージョンの kernel が、Red Hat Enterprise Linux 5 からご利用いただけるようになりました。

Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。

今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

Security Fix(es):

* A race condition was found in the way the Linux kernel’s memory subsystem
handled the copy-on-write (COW) breakage of private read-only memory mappings.
An unprivileged, local user could use this flaw to gain write access to
otherwise read-only memory mappings and thus increase their privileges on the
system. (CVE-2016-5195, Important)

* It was found that stacking a file system over procfs in the Linux kernel could
lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting
ecryptfs over procfs and creating a recursion by mapping /proc/environ. An
unprivileged, local user could potentially use this flaw to escalate their
privileges on the system. (CVE-2016-1583, Important)

Red Hat would like to thank Phil Oester for reporting CVE-2016-5195.

Bug Fix(es):

* In some cases, a kernel crash or file system corruption occurred when running
journal mode ‘ordered’. The kernel crash was caused by a null pointer
dereference due to a race condition between two journal functions. The file
system corruption occurred due to a race condition between the
do_get_write_access() function and buffer writeout. This update fixes both race
conditions. As a result, neither the kernel crash, nor the file system
corruption now occur. (BZ#1067708)

* Prior to this update, some Global File System 2 (GFS2) files had incorrect
time stamp values due to two problems with handling time stamps of such files.
The first problem concerned the atime time stamp, which ended up with an
arbitrary value ahead of the actual value, when a GFS2 file was accessed. The
second problem was related to the mtime and ctime time stamp updates, which got
lost when a GFS2 file was written to from one node and read from or written to
from another node. With this update, a set of patches has been applied that fix
these problems. As a result, the time stamps of GFS2 files are now handled
correctly. (BZ#1374861)

Bugs Fixed

1344721 – CVE-2016-1583 kernel: Stack overflow via ecryptfs and /proc/$pid/environ
1384344 – CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage

【CESA-2016:2105】 最新バージョンの kernel が、Red Hat Enterprise Linux 6 からご利用いただけるようになりました

CESA-2016:2105

最新バージョンの kernel が、Red Hat Enterprise Linux 6 からご利用いただけるようになりました。

Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。

今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

An update for kernel is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

Security Fix(es):

* A race condition was found in the way the Linux kernel’s memory subsystem
handled the copy-on-write (COW) breakage of private read-only memory mappings.
An unprivileged, local user could use this flaw to gain write access to
otherwise read-only memory mappings and thus increase their privileges on the
system. (CVE-2016-5195, Important)

Red Hat would like to thank Phil Oester for reporting this issue.

Bugs Fixed

1384344 – CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage

【CESA-2016:2098】 最新バージョンの kernel がRed Hat Enterprise Linux 7 からご利用いただけるようになりました

CESA-2016:2098

最新バージョンの kernel が、Red Hat Enterprise Linux 7 からご利用いただけるようになりました。

Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。

今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。
Security Fix(es):

* A race condition was found in the way the Linux kernel’s memory subsystem
handled the copy-on-write (COW) breakage of private read-only memory mappings.
An unprivileged, local user could use this flaw to gain write access to
otherwise read-only memory mappings and thus increase their privileges on the
system. (CVE-2016-5195, Important)

Red Hat would like to thank Phil Oester for reporting this issue.

Bugs Fixed

1384344 – CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage

【CESA-2016:2094】最新バージョンの bind97 が、Red Hat Enterprise Linux 5 からご利用いただけるようになりました

CESA-2016:2094

最新バージョンの bind97 が、Red Hat Enterprise Linux 5 からご利用いただけるようになりました。

Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。

今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

 

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name
System (DNS) protocols. BIND includes a DNS server (named); a resolver library
(routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating correctly.

Security Fix(es):

* A denial of service flaw was found in the way BIND handled packets with
malformed options. A remote attacker could use this flaw to make named exit
unexpectedly with an assertion failure via a specially crafted DNS packet.
(CVE-2016-2848)

Bugs Fixed

1385450 – CVE-2016-2848 bind: assertion failure triggered by a packet with malformed options

 

【CESA-2016:2093】最新バージョンの bind が、Red Hat Enterprise Linux 5 / 6 からご利用いただけるようになりました

CESA-2016:2093

最新バージョンの bind が、Red Hat Enterprise Linux 5 / 6 からご利用いただけるようになりました。
今回の最新バージョン Vulnerability Scoring System (CVSS) は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name

System (DNS) protocols. BIND includes a DNS server (named); a resolver library
(routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating correctly.

Security Fix(es)

* A denial of service flaw was found in the way BIND handled responses containing a DNAME answer. A remote attacker could use this flaw to make named exit unexpectedly with an assertion failure via a specially crafted DNS response. (CVE-2016-8864)
Red Hat would like to thank ISC for reporting this issue. Upstream acknowledges
Tony Finch (University of Cambridge) and Marco Davids (SIDN Labs) as the original reporters.

Bugs fixed

Bug 1389652 – (CVE-2016-8864) CVE-2016-8864 bind: assertion failure while handling responses containing a DNAME answer
https://bugzilla.redhat.com/show_bug.cgi?id=1389652

 

 

 

 

【CESA-2016:2079】最新バージョンの java-1.8.0-openjdk が、Red Hat Enterprise Linux 6 / 7 からご利用いただけるようになりました

CESA-2016:2079

最新バージョンの java-1.8.0-openjdk が、Red Hat Enterprise Linux 6 / 7 からご利用いただけるようになりました。
今回の最新バージョン Vulnerability Scoring System (CVSS) は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es)

* It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt virtual machine’s memory
and completely bypass Java sandbox restrictions. (CVE-2016-5582)

* It was discovered that the Hotspot component of OpenJDK did not properly check received Java Debug Wire Protocol (JDWP) packets. An attacker could possibly use this flaw to send debugging commands to a Java program running with debugging enabled if they could make victim’s browser send HTTP requests to the JDWP port of the debugged application. (CVE-2016-5573)

* It was discovered that the Libraries component of OpenJDK did not restrict the set of algorithms used for Jar integrity verification. This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm. (CVE-2016-5542)

Note: After this update, MD2 hash algorithm and RSA keys with less than 1024 bits are no longer allowed to be used for Jar integrity verification by default. MD5 hash algorithm is expected to be disabled by default in the future updates. A newly introduced security property jdk.jar.disabledAlgorithms can be used to control the set of disabled algorithms.

* A flaw was found in the way the JMX component of OpenJDK handled classloaders. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2016-5554)

* A flaw was found in the way the Networking component of OpenJDK handled HTTP proxy authentication. A Java application could possibly expose HTTPS server authentication credentials via a plain text network connection to an HTTP proxy if proxy asked for authentication. (CVE-2016-5597)

Note: After this update, Basic HTTP proxy authentication can no longer be used when tunneling HTTPS connection through an HTTP proxy. Newly introduced system properties jdk.http.auth.proxying.disabledSchemes and jdk.http.auth.tunneling.disabledSchemes can be used to control which
authentication schemes can be requested by an HTTP proxy when proxying HTTP and HTTPS connections respectively.

Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.

 

Bugs fixed

(CVE-2016-5582) CVE-2016-5582 OpenJDK: incomplete type checks of System.arraycopy arguments (Hotspot, 8160591
https://bugzilla.redhat.com/show_bug.cgi?id=1385402

Bug 1385544 – (CVE-2016-5573) CVE-2016-5573 OpenJDK: insufficient checks of JDWP packets (Hotspot, 8159519
https://bugzilla.redhat.com/show_bug.cgi?id=1385544

Bug 1385714 – (CVE-2016-5554) CVE-2016-5554 OpenJDK: insufficient classloader consistency checks in ClassLoaderWithRepository (JMX, 8157739)
https://bugzilla.redhat.com/show_bug.cgi?id=1385714

Bug 1385723 – (CVE-2016-5542) CVE-2016-5542 OpenJDK: missing algorithm restrictions for jar verification (Libraries, 8155973)
http://centoserrata.nagater.net/item/CESA-2016-2079-CentOS-6.Security.i386.x86_64.html

Bug 1386103 – (CVE-2016-5597) CVE-2016-5597 OpenJDK: exposure of server authentication credentials to proxy (Networking, 8160838)
https://bugzilla.redhat.com/show_bug.cgi?id=1386103

 

 

【CESA-2016:2046】最新バージョンの tomcat が、Red Hat Enterprise Linux 7 からご利用いただけるようになりました

CESA-2016:2046

最新バージョンの tomcat が、Red Hat Enterprise Linux 7 からご利用いただけるようになりました。
今回の最新バージョン Vulnerability Scoring System (CVSS) は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。
参照セクションのリンクをクリックしてください。

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

 

Security Fix(es)

 

* It was discovered that the Tomcat packages installed configuration file/usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)
* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)
* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use
the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)
Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.

Bug Fixed
Bug 1222573 – (CVE-2014-7810) CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions
https://bugzilla.redhat.com/show_bug.cgi?id=1222573
Bug 1311085 – (CVE-2015-5346) CVE-2015-5346 tomcat: Session fixation
https://bugzilla.redhat.com/show_bug.cgi?id=1311085
Bug 1353809 – (CVE-2016-5388) CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
https://bugzilla.redhat.com/show_bug.cgi?id=1353809
Bug 1362545 – (CVE-2016-5425) CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
https://bugzilla.redhat.com/show_bug.cgi?id=1362545
Bug 1367447 – (CVE-2016-6325) CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
https://bugzilla.redhat.com/show_bug.cgi?id=1367447

 

 

【CEBA-2016:2047】最新バージョンの kernel が、Red Hat Enterprise Linux 7 からご利用いただけるようになりました

CEBA-2016:2047

最新バージョンの kernel が、Red Hat Enterprise Linux 7 からご利用いただけるようになりました。

Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。

今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

Security Fix(es):

* Linux kernel built with the 802.1Q/802.1ad VLAN(CONFIG_VLAN_8021Q) OR Virtual
eXtensible Local Area Network(CONFIG_VXLAN) with Transparent Ethernet
Bridging(TEB) GRO support, is vulnerable to a stack overflow issue. It could
occur while receiving large packets via GRO path as an unlimited recursion could
unfold in both VLAN and TEB modules leading to a stack corruption in the kernel.
(CVE-2016-7039, Important)

Bugs Fixed

1375944 – CVE-2016-7039 kernel: remotely triggerable unbounded recursion in the vlan gro code leading to a kernel crash

 

【CEBA-2016:2045】最新バージョンのtomcat6 が、Red Hat Enterprise Linux 6 からご利用いただけるようになりました

CEBA-2016:2045

最新バージョンのtomcat6 が、Red Hat Enterprise Linux 6 からご利用いただけるようになりました。

Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。

今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages
(JSP) technologies.

Security Fix(es):

* It was discovered that the Tomcat packages installed certain configuration
files read by the Tomcat initialization script as writeable to the tomcat group.
A member of the group or a malicious web application deployed on Tomcat could
use this flaw to escalate their privileges. (CVE-2016-6325)

* It was found that several Tomcat session persistence mechanisms could allow a
remote, authenticated user to bypass intended SecurityManager restrictions and
execute arbitrary code in a privileged context via a web application that placed
a crafted object in a session. (CVE-2016-0714)

* It was discovered that tomcat used the value of the Proxy header from HTTP
requests to initialize the HTTP_PROXY environment variable for CGI scripts,
which in turn was incorrectly used by certain HTTP client implementations to
configure the proxy for outgoing HTTP requests. A remote attacker could possibly
use this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)

* A directory traversal flaw was found in Tomcat’s RequestUtil.java. A remote,
authenticated user could use this flaw to bypass intended SecurityManager
restrictions and list a parent directory via a ‘/..’ in a pathname used by a web
application in a getResource, getResourceAsStream, or getResourcePaths call, as
demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)

* It was found that Tomcat could reveal the presence of a directory even when
that directory was protected by a security constraint. A user could make a
request to a directory via a URL not ending with a slash and, depending on
whether Tomcat redirected that request, could confirm whether that directory
existed. (CVE-2015-5345)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a
web application when a security manager was configured. This allowed a web
application to list all deployed web applications and expose sensitive
information such as session IDs. (CVE-2016-0706)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388.
The CVE-2016-6325 issue was discovered by Red Hat Product Security.

Bug Fix(es):

* Due to a bug in the tomcat6 spec file, the catalina.out file’s md5sum, size,
and mtime attributes were compared to the file’s attributes at installation
time. Because these attributes change after the service is started, the “rpm -V”
command previously failed. With this update, the attributes mentioned above are
ignored in the RPM verification and the catalina.out file now passes the
verification check. (BZ#1357123)

Bugs Fixed

1265698 – CVE-2015-5174 tomcat: URL Normalization issue
1311082 – CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
1311087 – CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
1311089 – CVE-2015-5345 tomcat: directory disclosure
1353809 – CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
1357123 – rpm -V tomcat6 fails due on /var/log/tomcat6/catalina.out [rhel-6.8.z]
1367447 – CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation

【CEBA-2016:2006 】最新バージョンの kernel が、Red Hat Enterprise Linux 6 からご利用いただけるようになりました

CEBA-2016:2006

最新バージョンの kernel が、Red Hat Enterprise Linux 6 からご利用いただけるようになりました。

Red Hat製品のセキュリティ及び品質は大変ご好評いただいております。

今回の最新バージョンVulnerability Scoring System(CVSS)は、各セキュリティホールへのアクセス安全面を厳重にクラス分けし、確実・安全に詳細レポートをお送りいたします。参照セクションのリンクをクリックしてください。

The kernel packages contain the Linux kernel, the core of any Linux operating
system.

Security Fix(es):

* A flaw was found in the Linux kernel’s keyring handling code, where in
key_reject_and_link() an uninitialized variable would eventually lead to
arbitrary free address which could allow attacker to use a use-after-free style
attack. (CVE-2016-4470, Important)

* A heap-based buffer overflow vulnerability was found in the Linux kernel’s
hiddev driver. This flaw could allow a local attacker to corrupt kernel memory,
possible privilege escalation or crashing the system. (CVE-2016-5829, Moderate)

The CVE-2016-4470 issue was discovered by David Howells (Red Hat Inc.).

Bug Fix(es):

* Previously, when two NFS shares with different security settings were mounted,
the I/O operations to the kerberos-authenticated mount caused the
RPC_CRED_KEY_EXPIRE_SOON parameter to be set, but the parameter was not unset
when performing the I/O operations on the sec=sys mount. Consequently, writes to
both NFS shares had the same parameters, regardless of their security settings.
This update fixes this problem by moving the NO_CRKEY_TIMEOUT parameter to the
auth->au_flags field. As a result, NFS shares with different security settings
are now handled as expected. (BZ#1366962)

* In some circumstances, resetting a Fibre Channel over Ethernet (FCoE)
interface could lead to a kernel panic, due to invalid information extracted
from the FCoE header. This update adds santiy checking to the cpu number
extracted from the FCoE header. This ensures that subsequent operations address
a valid cpu, and eliminates the kernel panic. (BZ#1359036)

* Prior to this update, the following problems occurred with the way GSF2
transitioned files and directories from the “unlinked” state to the “free”
state:

The numbers reported for the df and the du commands in some cases got out of
sync, which caused blocks in the file system to appear missing. The blocks were
not actually missing, but they were left in the “unlinked” state.

In some circumstances, GFS2 referenced a cluster lock that was already deleted,
which led to a kernel panic.

If an object was deleted and its space reused as a different object, GFS2
sometimes deleted the existing one, which caused file system corruption.

With this update, the transition from “unlinked” to “free” state has been fixed.
As a result, none of these three problems occur anymore. (BZ#1359037)

* Previously, the GFS2 file system in some cases became unresponsive due to lock
dependency problems between inodes and the cluster lock. This occurred most
frequently on nearly full file systems where files and directories were being
deleted and recreated at the same block location at the same time. With this
update, a set of patches has been applied to fix these lock dependencies. As a
result, GFS2 no longer hangs in the described circumstances. (BZ#1359038)

* When used with controllers that do not support DCMD- MR_DCMD_PD_LIST_QUERY,
the megaraid_sas driver can go into infinite error reporting loop of error
reporting messages. This could cause difficulties with finding other important
log messages, or even it could cause the disk to overflow. This bug has been
fixed by ignoring the DCMD MR_DCMD_PD_LIST_QUERY query for controllers which do
not support it and sending the DCMD SUCCESS status to the AEN functions. As a
result, the error messages no longer appear when there is a change in the status
of one of the arrays. (BZ#1359039)

Bugs Fixed

1341716 – CVE-2016-4470 kernel: Uninitialized variable in request_key handling causes kernel crash in error handling path
1350509 – CVE-2016-5829 kernel: Heap buffer overflow in hiddev driver